Symptoms
Note: This description covers all previous versions of the Win32.Frethem virus (from A to E).
File setup.exe in the StartUp folder (usually in C:\Windows\Start Menu\Programs\StartUp or in %USERPROFILE%\Start Menu\Programs\StartUp).
Removal instructions:
The BitDefender Virus Analysis Team has released a free removal tool for this particular virus.
Important: You will have to close all applications before running the tool (including the antivirus shields) and to restart the computer afterwards. Additionally, you will have to manually delete the infected files located in archives and the infected messages from your mail client. The BitDefender AntiFrethem-EN.exe tool does the following:
it detects all the known Frethem versions;
it deletes the files infected with Win32.Frethem.F@mm;
it kills the process from memory;
it repairs the Windows registry.
You may also need to restore the affected files.
To prevent this virus from using the IFRAME exploit, apply the patch Microsoft released for Internet Explorer 5.0 and 5.5.
Analyzed By
Costin Ionescu, BitDefender Virus Researcher
Technical Description:
This is an Internet worm which spreads through e-mail as an attached file. It is written in Visual C and packed with UPX and PePack.
The format of an infected e-mail is:
From:
Subject: Re: Your password!
Body:
ATTENTION!
You can access very important information by this password
DO NOT SAVE password to disk use your mind
now press cancel
Attachments: password.txt
The variable part of the message differs between versions:
B: Your password placed in password.txt yourpassword.exe
C: Your password placed in password.txt yourpassword.exe
D: decrypt-password.exe
E: Your password placed in password.txt yourpassword.exe
F: decrypt-password.exe
The first variant (Win32.Frethem.A@mm) has the following format for e-mails:
Subject: Re: Do your Windows looks like Windows XP? I have found very nice desktop themes!
Body: Hello!
Do you like modern design of new Windows XP?! I have found FREE and easy to use desktop themes!
You can open attach with web site and samples! Enjoy it!!!
www.freedesktopthemes.com
The e-mail also carries the IFRAME exploit, so if the user reads the message with an unpatched version of Microsoft Outlook or Microsoft Outlook Express, the computer is infected as soon as the message is displayed in the preview pane, without the attachment being opened.
The virus copies itself as setup.exe in the StartUp directory of the current profile (as shown in the Symptoms section). To send infected e-mails it uses the victim's SMTP servers and the e-mail addresses stored in the Windows Address Book (used by Outlook Express) and in DBX files.
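As an added example, not part of the original BitDefender description, the following Python script flags messages that match the e-mail format described above (the subjects of variants A to F, the password.txt plus executable attachment pair, and an IFRAME in an HTML body), so a mail administrator can scan a spool or quarantine for Frethem messages. The sample message is constructed here for the demonstration and is not a real capture.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Indicators taken from the description: subjects used by variant A and by
# variants B-F, and the two attachment names that vary between versions.
FRETHEM_SUBJECTS = {
    "re: your password!",
    "re: do your windows looks like windows xp? i have found very nice desktop themes!",
}
FRETHEM_EXECUTABLES = {"yourpassword.exe", "decrypt-password.exe"}
IFRAME_RE = re.compile(r"<iframe\b", re.IGNORECASE)


def frethem_indicators(raw: bytes) -> list[str]:
    """Return the Frethem indicators found in one raw RFC 822 message (empty if clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = (msg["subject"] or "").strip().lower()
    if subject in FRETHEM_SUBJECTS:
        hits.append(f"subject: {msg['subject']}")
    # Collect attachment file names from every MIME part.
    names = {(p.get_filename() or "").lower() for p in msg.walk() if p.get_filename()}
    if "password.txt" in names and names & FRETHEM_EXECUTABLES:
        found = sorted(names & (FRETHEM_EXECUTABLES | {"password.txt"}))
        hits.append("attachments: " + ", ".join(found))
    # The preview-pane infection relies on an IFRAME in the HTML body.
    for p in msg.walk():
        if p.get_content_type() == "text/html" and IFRAME_RE.search(p.get_content()):
            hits.append("html body contains an IFRAME")
            break
    return hits


def build_sample() -> bytes:
    """Construct a sample message in the variant D/F format (constructed, not a real sample)."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "recipient@example.invalid"
    m["Subject"] = "Re: Your password!"
    m.set_content("ATTENTION! You can access very important information by this password")
    m.add_alternative("<html><body><p>ATTENTION!</p><iframe src=\"about:blank\"></iframe></body></html>",
                      subtype="html")
    m.add_attachment("placeholder text", subtype="plain", filename="password.txt")
    m.add_attachment(b"MZ placeholder, not an executable", maintype="application",
                     subtype="octet-stream", filename="decrypt-password.exe")
    return m.as_bytes()


if __name__ == "__main__":
    print(frethem_indicators(build_sample()))
```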
The author wrote in the executable:
ThAnks tO AUthOr! YOU ArE rEAllY grEAt mAn!
AlsO thAnks tO AntIvIrUs cOmpAnIEs fOr dEscrIbIng thE mAIlEr IdEA!
nO AnY dEstrUctIvE ActIOns! dOnt wArrY, bE hAppY!